Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Okki Sync Mail

v2.0.1

A complete email automation solution integrated with OKKI CRM. Supports automatic IMAP mail capture, SMTP sending, dry-run mode, send logs, rate limiting, scheduled sending, signature templates, mail rules, connection-pool optimization, mail forwarding and more. Automatically syncs inbound/outbound mail to OKKI to create follow-up records (remark_type=102).

by Jaden's built a claw (@cjboy007)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description require IMAP/SMTP and OKKI integration; required env vars (IMAP_*, SMTP_*, OKKI_CLI_PATH, VECTOR_SEARCH_PATH) and node/python binaries are coherent with the code (node scripts + python helper scripts). Requiring npm/node/python3 is reasonable given package.json and Python utilities.
[!] Instruction Scope
SKILL.md and included scripts perform broad file and process actions: reading/writing local mail archive paths, running Python OKKI/vector-search scripts, and calling child_process.execSync. The code also posts email drafts/content to an external Discord channel (discord-review.js). Some instructions and files reference many absolute local paths (Obsidian vault, quotation workflow, workspace paths) and cron jobs — which is expected for an email automation tool but increases the surface area. Importantly, the skill's runtime reads .env files and other local files that are outside the skill directory (see discord-review.js's ENV_PATH = ../../.env), and the SKILL.md does not declare all environment variables actually used (e.g., DISCORD_BOT_TOKEN).
Install Mechanism
Registry metadata says 'instruction-only / no install spec', but package.json and package-lock.json are present and SKILL.md shows 'npm install' in Quick Start. The absence of a formal install spec in the manifest is an inconsistency (user will likely need to run npm install manually). No remote download URLs or suspicious installers were found.
[!] Credentials
Declared envs (IMAP_*, SMTP_*, OKKI_CLI_PATH, VECTOR_SEARCH_PATH) are appropriate. However, code also tries to load DISCORD_BOT_TOKEN from a .env two directories up and uses process.env when spawning child processes, and discord-review.js will send email content to discord.com if configured — DISCORD_BOT_TOKEN is not declared in requires.env. Reading a parent .env risks exposing unrelated secrets (agent/system-level) and is disproportionate to a skill that should confine itself to its own config directory.
Persistence & Privilege
Skill is not always:true and is user-invocable (normal). It writes archives and review records to local directories and can be run from cron as documented. The main privilege concern is that configured review/approval pathways (Discord or local review files) can trigger actual sends via scripts/smtp.js; combined with undeclared credential access this increases risk if misconfigured, but the skill itself does not request forced global persistence or modify other skills.
Scan Findings in Context
[ignore-previous-instructions] expected: SKILL.md deliberately includes a security warning about prompt-injection (containing this pattern) to instruct the agent not to treat email content as executable instructions. The scanner flagged the pattern but its presence here is an intentional defense, not an obvious injection attempt.
What to consider before installing
This skill mostly does what it says (IMAP/SMTP + OKKI), but take these concrete precautions before installing or providing credentials:

- Audit the following files first: discord-review.js, auto-capture.js, scripts/smtp.js, scripts/imap.js, and any files that call child_process.exec/execSync. They handle external network calls and spawn other programs.
- Do NOT place global or agent-level secrets in a parent .env. The code attempts to load ../../.env (discord-review.js); supply only a skill-local .env in the skill folder to avoid accidental leakage.
- If you don't intend to use Discord review, do not set DISCORD_BOT_TOKEN or configure Discord; otherwise the skill will send email drafts/content to discord.com. The skill does not list DISCORD_BOT_TOKEN in its declared env requirements — this is an undeclared external endpoint.
- Run the skill in an isolated/test environment first (use a disposable mailbox and disposable OKKI test credentials). Confirm that --dry-run works and that real sends are blocked until you explicitly approve.
- Because the skill spawns python scripts using paths you supply (OKKI_CLI_PATH, VECTOR_SEARCH_PATH), ensure those paths point to audited/trusted scripts; an attacker-supplied path could run arbitrary code.
- Consider restricting filesystem access (ALLOWED_READ_DIRS) and network egress for the environment running this skill, or review/modify the code to stop reading parent .env and to require explicit approval before any outbound network call.

If you cannot audit the code or are uncomfortable with Discord/external posting or with parent .env access, treat this skill as unsafe to run with production credentials.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

- auto-capture.js:88: Shell command execution detected (child_process).
- discord-review.js:205: Shell command execution detected (child_process).
- kb-retrieval.js:29: Shell command execution detected (child_process).
- okki-sync.js:65: Shell command execution detected (child_process).
- scripts/smtp-wrapper.js:45: Shell command execution detected (child_process).
- auto-capture.js:18: Environment variable access combined with network send.
- integration-test.js:57: Environment variable access combined with network send.
- intent-recognition.js:116: Environment variable access combined with network send.
- reply-generation.js:184: Environment variable access combined with network send.
- reply-generator.js:64: Environment variable access combined with network send.
- scripts/imap.js:16: Environment variable access combined with network send.
- scripts/smtp.js:28: Environment variable access combined with network send.
- test-read.js:8: Environment variable access combined with network send.
- [!] integration-test.js:255: File read combined with network send (possible exfiltration).
- [!] intent-recognition.js:19: File read combined with network send (possible exfiltration).
- [!] reply-generation.js:145: File read combined with network send (possible exfiltration).
- [!] reply-generator.js:22: File read combined with network send (possible exfiltration).
- [!] scripts/smtp.js:493: File read combined with network send (possible exfiltration).
- [!] SKILL.md:30: Prompt-injection style instruction pattern detected.




Runtime requirements

Runtime: Clawdis
Bins: node, npm, python3
Env: IMAP_HOST, IMAP_USER, IMAP_PASS, SMTP_HOST, SMTP_USER, SMTP_PASS, OKKI_CLI_PATH, VECTOR_SEARCH_PATH
Primary env: SMTP_PASS
